
Re: [HTCondor-users] Send commands to minicondor from outside the container



Hi Cole,

 

Thank you for your answer, but I ended up finding the setting that worked for me. All I needed to do was to add the two following lines to the 00-minicondor file:

SEC_DEFAULT_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_CLIENT_AUTHENTICATION_METHODS = FS, CLAIMTOBE

After a condor_reconfig, I can submit jobs from the host machine and even from other containers 😊

 

That being said, what I cannot do is run the condor_reconfig command itself from host machine or containers…

I get the exact same error when I try to do so, so I tried adding all the other authentication methods to the file as well:

SEC_DEFAULT_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_CLIENT_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_READ_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_WRITE_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_ADMINISTRATOR_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_CONFIG_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_DAEMON_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_ADVERTISE_STARTD_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = FS, CLAIMTOBE

 

I also set ALLOW_ADMINISTRATOR = * and SEC_DEFAULT_AUTHENTICATION = OPTIONAL, but that does not fix it…

 

Here is what the MasterLog says:

 

GSS Major Status: General failure
GSS Minor Status Error Chain:
globus_gsi_gssapi: Error with GSI credential
globus_gsi_gssapi: Error with gss credential handle
globus_credential: Valid credentials could not be found in any of the possible locations specified by the credential search order.
Valid credentials could not be found in any of the possible locations specified by the credential search order.
Attempt 1
globus_credential: Error reading host credential
globus_sysconfig: Could not find a valid certificate file: The host cert could not be found in:
1) env. var. X509_USER_CERT
2) /etc/grid-security/hostcert.pem
3) $GLOBUS_LOCATION/etc/hostcert.pem
4) $HOME/.globus/hostcert.pem

The host key could not be found in:
1) env. var. X509_USER_KEY
2) /etc/grid-security/hostkey.pem
3) $GLOBUS_LOCATION/etc/hostkey.pem
4) $HOME/.globus/hostkey.pem

Attempt 2
globus_credential: Error reading proxy credential
globus_sysconfig: Could not find a valid proxy certificate file location
globus_sysconfig: Error with key filename
globus_sysconfig: File does not exist: /tmp/x509up_u0 is not a valid file
Attempt 3
globus_credential: Error reading user credential
globus_sysconfig: Error with certificate filename: The user cert could not be found in:
1) env. var. X509_USER_CERT
2) $HOME/.globus/usercert.pem
3) $HOME/.globus/usercred.p12

 

 

 

03/02/23 15:56:02 DC_AUTHENTICATE: required authentication of 127.0.0.1 failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS|AUTHENTICATE:1004:Failed to authenticate using GSI|GSI:5003:Failed to authenticate.  Globus is reporting error (851968:203).  There is probably a problem with your credentials.  (Did you run grid-proxy-init?)|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS|AUTHENTICATE:1004:Failed to authenticate using FS|FS:1004:Unable to lstat(/tmp/FS_XXXeQWHFT)

 

Thanks,

Gaëtan

 


Gaetan Geffroy
Junior Software Engineer
Terma GmbH
T +49 6151 86005 43 (direct)
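
An added example, not part of the original message and not HTCondor code: it parses the DC_AUTHENTICATE error stack quoted from the MasterLog above and compares the methods the connection actually tried with the methods listed in the edited 00-minicondor file. It assumes condor_reconfig is authorized at the ADMINISTRATOR level; the function names are hypothetical.

```python
import re

# The DC_AUTHENTICATE line quoted from the MasterLog in this thread.
LOG_LINE = (
    "03/02/23 15:56:02 DC_AUTHENTICATE: required authentication of 127.0.0.1 failed: "
    "AUTHENTICATE:1003:Failed to authenticate with any method|"
    "AUTHENTICATE:1004:Failed to authenticate using SCITOKENS|"
    "AUTHENTICATE:1004:Failed to authenticate using GSI|"
    "GSI:5003:Failed to authenticate.  Globus is reporting error (851968:203).  "
    "There is probably a problem with your credentials.  (Did you run grid-proxy-init?)|"
    "AUTHENTICATE:1004:Failed to authenticate using KERBEROS|"
    "AUTHENTICATE:1004:Failed to authenticate using IDTOKENS|"
    "AUTHENTICATE:1004:Failed to authenticate using FS|"
    "FS:1004:Unable to lstat(/tmp/FS_XXXeQWHFT)"
)
# Two of the lines the poster added to 00-minicondor.
CONFIG = """SEC_DEFAULT_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_ADMINISTRATOR_AUTHENTICATION_METHODS = FS, CLAIMTOBE
"""

def parse_error_stack(line):
    """Split 'SUBSYS:code:message|...' into (subsys, code, message) tuples."""
    stack = line.split("failed: ", 1)[-1]
    entries = []
    for part in stack.split("|"):
        subsys, code, msg = part.split(":", 2)  # maxsplit keeps ':' inside messages
        entries.append((subsys, int(code), msg.strip()))
    return entries

def attempted_methods(entries):
    """Methods the connection actually tried, in log order."""
    prefix = "Failed to authenticate using "
    return [m[len(prefix):] for s, _, m in entries
            if s == "AUTHENTICATE" and m.startswith(prefix)]

def configured_methods(text):
    """Map access level -> method list from SEC_<LEVEL>_AUTHENTICATION_METHODS lines."""
    pat = re.compile(r"^\s*SEC_(\w+?)_AUTHENTICATION_METHODS\s*=\s*(.+)$", re.M)
    return {lvl: [m.strip().upper() for m in val.split(",")]
            for lvl, val in pat.findall(text)}

def compare(level, config_text, log_line):
    """Return (configured but never tried, tried but not configured) for one level."""
    tried = attempted_methods(parse_error_stack(log_line))
    wanted = configured_methods(config_text).get(level, [])
    return ([m for m in wanted if m not in tried],
            [m for m in tried if m not in wanted])

if __name__ == "__main__":
    print(compare("ADMINISTRATOR", CONFIG, LOG_LINE))
```

For the quoted line, CLAIMTOBE is configured but never tried, while SCITOKENS, GSI, KERBEROS and IDTOKENS are tried although absent from the file, so the method list in effect for that connection was not the one in the edited file.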
 


 

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Cole Bollig via HTCondor-users
Sent: Thursday, March 2, 2023 16:21
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Cole Bollig <cabollig@xxxxxxxx>
Subject: Re: [HTCondor-users] Send commands to minicondor from outside the container

 


Hi Gaetan,

 

I have a couple of questions about your setup:

  1. How are you trying to run the tools? I just want to confirm that you are trying to run a mini-condor container and use the condor tools and python bindings that exist in the container on the host machine. Or are you trying to just submit the test/prototype jobs in the mini-condor container?
  2. Do you have condor installed on your local host?

-Cole Bollig


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Gaetan Geffroy <gage@xxxxxxxxx>
Sent: Monday, February 27, 2023 11:59 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] Send commands to minicondor from outside the container

 

Hi,

 

I use a htcondor/mini Docker container to test and prototype on Condor.

If I open a bash inside the container I can use the commands just fine, but what I want to do is to have access to them and the Python bindings from the host machine, or from another container.

I run the container like this:

 

docker run -it --network host --name condor --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
htcondor/mini:9.0.16-el7

 

Then, I take a copy of the config file 00-minicondor, put it on the host machine and have the CONDOR_CONFIG env var to point at it.

This works fine for things like condor_q or condor_status, but when I try to use condor_submit I get the following:

 

Submitting job(s)
ERROR: Failed to connect to local queue manager
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SCITOKENS
AUTHENTICATE:1004:Failed to authenticate using GSI
GSI:5003:Failed to authenticate.  Globus is reporting error (851968:101).  There is probably a problem with your credentials.  (Did you run grid-proxy-init?)
AUTHENTICATE:1004:Failed to authenticate using KERBEROS
AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
AUTHENTICATE:1004:Failed to authenticate using FS

 

So, I tried things like setting SEC_DEFAULT_AUTHENTICATION = NEVER, SEC_DEFAULT_AUTHENTICATION_METHODS = CLAIMTOBE, FS, ALLOW_WRITE = * and using security:host_based.

None of these work.

 

What more can I do if even disabling authentication did not work?

 

Thanks,

 

Gaëtan

 


Gaetan Geffroy
Junior Software Engineer, Space

Terma GmbH
Europaarkaden II, Bratustraße 7, 64293 Darmstadt, Germany
T +49 6151 86005 43 (direct) | T +49 6151 86005-0
Terma GmbH - Sitz Darmstadt | Handelsregister Nr.: HRB 7411, Darmstadt
Geschäftsführer: Poul Vigh / Steen Vejby Sørensen